I have seen conflicting answers on this and am confused about what should and shouldn't work.
In inputs.conf on our forwarders we configure the following (as an example):
[default]
_meta=environment::production cluster:: region::ap-southeast-2 role::logging subrole:: instance_type::t2.large
On the IX/SH we configure the following in fields.conf (snippet):
[environment]
INDEXED = False
INDEXED_VALUE = False
[cluster]
INDEXED = False
INDEXED_VALUE = False
[region]
INDEXED = False
INDEXED_VALUE = False
The docs lead me to believe that by specifying INDEXED = False, the field would not be treated as an indexed value.
But no matter what combination of values in fields.conf, I get the following behaviour in searches:
environment=production ==> 0 results
environment::production ==> all results matching that meta tag
environment="*production*" ==> all results matching that meta tag, + some spurious matches of production in the raw text
The reason this is important is that non-technical users use the interface to try to drill down on search results, and find no end of frustration when clicking on the auto-extracted interesting or selected fields on the left: selecting, for example, the production value for cluster appends cluster=production to the search and immediately yields no results.
What I want to know is: how can I get meta fields to simply be treated as regular non-indexed fields?